Dear Gurus,

Background Information Part:

We rent an IP Address Block and a DNS zone. [We have to pay the annual fees, so they are renting, yes? :-) ]

We run our own DNS authoritative server, with DNSSEC on.

We register our IP block on both IRR and ROA, and monitor them both for ‘poisoning records’.

Authority over DNS records, ROAs, and BGP table is with us, but authority over the Web Servers is (naturally) not.

Question Part:

1. How (or where) can I monitor/control such that no one can ‘map’ my IP addresses to external FQDNs [hijacking my IPs] without me knowing about it?

1.1. My understanding is that, as long as I control the authoritative (DNSSEC) server and people out there validate the DNS responses, hijacking my IPs outright for use somewhere else is (theoretically) impossible, yes? [leaving out Route Hijacking for now]

2. But, web admins can still essentially ‘rent out’ part or whole of my websites by hosting 'foreign' pages/codes and allowing in ‘external redirection’ from outside (to use my hardware! my IPs!) anyway, yes?

3. How (or where) can I monitor/control such that no one can ‘map’ FQDNs from within my DNS zone to external IP addresses [hijacking my hostnames] without me knowing about it?

3.1. My understanding is that, web admins can write all sorts of ‘redirect’ in such a way that parts or even my whole websites can be ‘hosted’ on external IPs/hardware, yes?

4. Does that mean I need a big Web Application Firewall (WAF) or something worse to monitor/control those above scenarios?

The thing is, no one should be able to use organization resources [IPs, FQDNs, and Web Services, for a start] for his/her own purpose without asking permission.

Thanks in advance for any pointers,

-- Pirawat.
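
One way to check the mapping asked about in question 3, as an added example that is not part of the original post: audit an export of the zone's own records and flag any name that resolves outside the organization's address space. The prefixes, zone name, record list and function names are constructed assumptions (documentation ranges and example.org stand in for the real values).

```python
import ipaddress

# Constructed sample data (assumptions, not from the original post):
# documentation prefixes and example.org stand in for the real block and zone.
OUR_BLOCKS = [ipaddress.ip_network("192.0.2.0/24"),
              ipaddress.ip_network("2001:db8:10::/48")]
OUR_ZONE = "example.org."

SAMPLE_RECORDS = [  # (owner, type, rdata) as exported from the authoritative server
    ("www.example.org.", "A", "192.0.2.10"),
    ("www.example.org.", "AAAA", "2001:db8:10::10"),
    ("shop.example.org.", "A", "198.51.100.7"),
    ("blog.example.org.", "CNAME", "tenant.hosting.example.net."),
    ("intra.example.org.", "CNAME", "www.example.org."),
    ("old.example.org.", "AAAA", "2001:db8:ffff::1"),
]


def in_our_blocks(addr_text):
    """True if the address falls inside one of the organization's prefixes."""
    addr = ipaddress.ip_address(addr_text)
    return any(addr.version == net.version and addr in net for net in OUR_BLOCKS)


def in_our_zone(name):
    """True if the name is the zone apex or a name below it."""
    name = name.lower().rstrip(".") + "."
    return name == OUR_ZONE or name.endswith("." + OUR_ZONE)


def audit(records):
    """Return (owner, type, rdata, reason) for every record that leaves our space."""
    findings = []
    for owner, rtype, rdata in records:
        if not in_our_zone(owner):
            continue  # only names we are authoritative for are audited
        if rtype in ("A", "AAAA") and not in_our_blocks(rdata):
            findings.append((owner, rtype, rdata, "address outside our blocks"))
        elif rtype == "CNAME" and not in_our_zone(rdata):
            findings.append((owner, rtype, rdata, "alias target outside our zone"))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_RECORDS):
        print(*finding, sep="\t")
```

This covers DNS data only; the HTTP-level redirects described in 3.1 do not appear in zone records and need a separate check on the web servers themselves.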